
Introduction to Cybersecurity & Information Assurance for FQHCs


April 13, 2011
Amelia Muccio
Director of Emergency Management
amuccio@njpca.org

Objectives

Cybersecurity
Information assurance
FQHCs as target
Cyber threats/risks
Vulnerabilities
Countermeasures
Safeguarding
Promoting a culture of security

Serious Threat
Richard Clarke was famously heard to say, "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked."
The growing number of attacks on our cyber networks has become, in President Obama's words, "one of the most serious economic and national security threats our nation faces."

Who & What is At Risk?

Economy
Defense
Transportation
Medical
Government
Telecommunications
Energy Sector
Critical Infrastructure
Computers/Cable TV/Phones/MP3/Games

Fundamental Concepts of Information Assurance

Confidentiality (privacy)
Integrity (quality, accuracy, relevance)
Availability (accessibility)
CIA triad

Internet
In 1995, 16 million users (0.4%)
In 2010, 1.6 billion users (23.5%)
Physical and cyber security cannot be treated separately; they are intertwined.

How Does an Attack Happen?

Identify the target
Gather information
Plan/Prepare the attack
Attack

Information Gathering

Attack Trends

Increasing sophistication
Decreasing costs
Increasing attack frequency
Difficulties in patching systems
Increasing network connections, dependencies, and trust relationships

What Threatens Information?

Misuse
Disasters
Data interception
Computer theft
Identity/password theft
Malicious software
Data theft/corruption
Vandalism
Human error

Threats
A threat is any potential danger to information and systems
3 levels of cyber threats
Unstructured
Structured
Highly structured

Unstructured Threats
Individual/small group with little or no organization or funding
Easily detectable information gathering
Exploitations based upon documented flaws
Targets of opportunity
Gain control of machines
Motivated by bragging rights, thrills, access to resources

Structured Threats
Well organized, planned and funded
Specific targets and extensive information gathering to choose the avenue and means of attack
Goal: data stored on machines, or the machines themselves
Exploitation may rely on insider help or an unknown flaw
Target drives attack
Organized crime/black hat hackers

Highly Structured Threats

Extensive organization, funding and planning over an extended time, with the goal of having an effect beyond the data or machine being attacked
Stealthy information gathering
Multiple attacks exploiting unknown flaws or insider help
Coordinated efforts from multiple groups
Cyber warfare

Web as Weapon

Infrastructure run by computers
Government SCADA system
Overflow dam, disrupt oil supply
Sewage plant in Australia overflowed due to black hat hackers
Cyberterrorism (Bin Laden and Aum Shinrikyo)
Combined attack
Cause power outage and biological attack
EMS disruption and nuclear emergency
Next war fought with code & computers

Hackers and Crackers

White hat hacker: curious, explore our own vulnerabilities, bragging rights/just did it.
Black hat hacker/cracker: malicious intent, exploit vulnerabilities for monetary profit or gain or to perpetrate a crime; organized crime.
Gray hat hacker: helpful or ethical hacker, motivated by a sense of good. Cowboys.
Gray hats find vulnerabilities and notify the company of them so they can be fixed and resolved.

Gray Hats
Adrian Lamo
Find vulnerabilities, inform company
WorldCom, Google, NYTimes, Bank of America,
NASA
NYTimes used SSN # as passwords
Edited Yahoo Story
Robert Lyttle
DoD, Pentagon
Both got into trouble!

Early Days: Phone Phreaking

2600 Hz Tone
Captain Crunch Whistle & 4th E above Middle C
Long whistle reset line, then dial w/whistle
Tricked phone companies/tone dialing
Free long distance and international calls

Risk
Risk = Threat + Vulnerability
Likelihood of an undesirable event occurring, combined with the magnitude of its impact
Natural
Manmade
Accidental or Intentional
People are the weakest link

Risk Management
Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level
Protect against:
Physical damage
Human error
Hardware failure
Program error
Cyber attack

Risk Handling Discussion

Risk reduction (countermeasures, HVA)
Risk transference (insurance)
Risk acceptance (may happen)
Risk rejection (do nothing)
Security assessments are an important part of risk management
Penetration testing
Identify all vulnerabilities and threats to information, systems and networks

Contingency Planning Components

How to handle disruption?
Business continuity
Disaster recovery
Incident response

Recovery Strategy
A recovery strategy provides direction to restore IT operations quickly and effectively
Backup methods
Alternate sites
Equipment replacement
Roles and responsibilities
Cost considerations

BCP
A comprehensive written plan to maintain or resume business operations in the event of a disruption
Continue critical business operations
Jeopardize normal operations
Most critical operations
May require alternate sites (hot, warm, cold)
What do we need to KEEP going?

DRP
A comprehensive written plan to return business operations to the pre-disruption state following a disruption
Restore IT functions (prep and restore)
Jeopardize the normal operations
Includes all operations
RETURN TO NORMAL BUSINESS OPERATIONS
WHAT DO WE NEED TO DO IN CASE OF A DISASTER?

Plan Testing, Training and Exercising

Testing is critical to ensuring a viable contingency capability
Conduct plan exercises
TTXs (tabletop exercises) are useful

Policies and Procedures

Establish security culture
Establish best security practices
Define goals and structure of security program
Educate personnel
Maintain compliance with any regulations
Ex: email policy, Internet usage, physical security

Physical Security Countermeasures

Property protection (doors, locks, lighting)
Structural hardening (construction)
Physical access control (authorized users)
Intrusion detection (guards, monitoring)
Physical security procedures (escort visitors, logs)
Contingency plans (generators, off-site storage)
Physical security awareness training (training for suspicious activities)

Personal Security
Practices established to ensure the safety and security of personnel and other organizational assets
It's ALL about people
People are the weakest link
Reduce vulnerability to personnel-based threats

Personal Security Threat Categories

Insider threats: most common, difficult to recognize
Includes sabotage and unauthorized disclosure of information
Social engineering: multiple techniques are used to gain information from authorized employees and use that info in conjunction with an attack
Not aware of the value of information

Social Engineering
Being fooled into giving someone access when the person has no business having the information.

Dumpster Diving and Phishing

DD: rummaging through a company's garbage for discarded documents
Phishing: usually takes place through fraudulent emails requesting users to disclose personal or financial information
Emails appear to come from a legitimate organization (PayPal)

P&P
Acceptable use policy: what actions users may perform while using computers
Personnel controls: need to know, separation of duties
Hiring and termination practices: background checks, orientation, exit interview, escorting procedure

Private Branch Exchange (PBX) Systems

Toll fraud
Disclosure of information
Unauthorized access
Traffic analysis
Denial of Service (DoS)

PBX Threat Countermeasures

Implement physical security
Inhibit maintenance port access
Enable alarm/audit trails
Remove all default passwords
Review the configuration of your PBX against known hacking techniques

Data Networks
For computers to communicate
Less expensive to use same network
Modems designed to leverage this asset

Modem Threats
Unauthorized and misconfigured modems
Authorized but misconfigured modems

Wardialing
Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access
Identify potential targets

Modem Threat Countermeasures

Policy
Scanning
Administrative action
Passwords
Elimination of modem connections
Use a device to protect against telephony-based attacks and abuses

Voice Over Internet Protocol (VoIP)

VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line

VoIP Benefits and Threats

Less expensive
Increased functionality
Flexibility and mobility
Service theft
Eavesdropping
Vishing
Call tampering

VoIP Threat Countermeasures

Physical control
Authentication and encryption
Develop appropriate network architecture
Employ VoIP firewall and security devices

Data Networks

Computers linked together
Hosts (computers, servers)
Switches and hubs
Routers

Common Network Terms

Local Area Network (LAN): network grouped in one geographic location
Wide Area Network (WAN): network that spreads over a larger geographic area
Wireless LAN (WLAN): a LAN with wireless connections

Data Network Protocols

Transmission Control Protocol (TCP): moves data across networks with a connection-oriented approach
User Datagram Protocol (UDP): moves info across networks with a connectionless approach
Internet Control Message Protocol (ICMP): used by the OS to send error messages across networks
Hypertext Transfer Protocol (HTTP): transfers web pages, hypermedia

Data Network Threats

Information gathering
Denial of Service (DoS)
Disinformation
Man-in-the-middle
Session hijacking

Information Gathering Threats/Network

Scanning
What target is available?
Reduces the attacker's wasted effort
One of the most common pre-attack identification techniques is called scanning
Scanning uses the ICMP service PING
PING SWEEP: echo request to a range of addresses (provides list of potential targets)
Are you there? Yes, I am there.
Firewall should protect against this

Sniffing
A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network

Denial of Service (DoS)

Degrade and prevent operations/functionality
Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously
Vast number of ICMP echo request packets are sent to the target, overwhelming its capability to process all other traffic

Ping Flood/Ping of Death

Ping flood: too much ping traffic drowns out all other communication
Ping of Death: oversized or malformed ICMP packets cause target to reboot or crash
Host cannot cope with ping packets
Ping of Death relies on a buffer overflow vulnerability
Buffer overflow: size of input exceeds the size of the storage intended to receive it

Smurf Attack (Ping Flood)

Large stream of spoofed Ping packets sent to a broadcast address
Source address listed as the target's IP address (spoofed)
Broadcast host relays request to all hosts on network
Hosts reply to victim with Ping responses
If multiple requests sent to broadcast host, target gets overloaded with replies

DDoS with Zombies/Botnet

Zombies: infected computers
Botnet: a bunch of infected computers acting at the same time, generating massive traffic
DDoS attack where a multitude of compromised systems attack a single target
Flood of incoming messages to target system forces a shutdown
Google was a target

Man-In-The-Middle Attacks
Instead of shutting down target networks, attackers may want access
Attacker accesses information between authorized parties and observes it
Uses a sniffer and gains information
Digital wiretapping
Types of attacks
Eavesdropping
Session hijacking

Network Attack Countermeasures

Countering the threats
Scans/Sniffing/Ping sweeps
DoS/DDoS
Smurf attack
Session hijacking
Eavesdropping

Ways to Recognize Scanning

System log file analysis
Network traffic
Firewall and router logs
Intrusion Detection Systems (IDSs)
NIDS (Snort) or HIDS (OSSEC)
Recognize as soon as possible
Perform regular monitoring
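The "system log file analysis" and "firewall and router logs" bullets above are easiest to see in code. The script below is an added example, not part of the NJPCA deck: it reads firewall log lines in a constructed, simplified iptables-style format (the lines, timestamps and addresses are made up for the example), keeps only ICMP echo requests, and flags any source that probed at least `min_hosts` distinct destinations inside a sliding `window_seconds` window, which is the ping sweep pattern the deck describes under "Information Gathering Threats". The log format, the thresholds and the function names are this example's own assumptions, not anything from the deck or a particular product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). Each line is a simplified,
# iptables-LOG-like record: timestamp, source, destination, protocol, ICMP type.
SAMPLE_LOG = """\
2011-04-13T10:00:01 SRC=203.0.113.9 DST=192.168.1.1 PROTO=ICMP TYPE=8
2011-04-13T10:00:01 SRC=203.0.113.9 DST=192.168.1.2 PROTO=ICMP TYPE=8
2011-04-13T10:00:02 SRC=203.0.113.9 DST=192.168.1.3 PROTO=ICMP TYPE=8
2011-04-13T10:00:02 SRC=203.0.113.9 DST=192.168.1.4 PROTO=ICMP TYPE=8
2011-04-13T10:00:03 SRC=203.0.113.9 DST=192.168.1.5 PROTO=ICMP TYPE=8
2011-04-13T10:00:03 SRC=203.0.113.9 DST=192.168.1.6 PROTO=ICMP TYPE=8
2011-04-13T10:00:05 SRC=192.168.1.50 DST=192.168.1.1 PROTO=ICMP TYPE=8
2011-04-13T10:05:00 SRC=192.168.1.50 DST=192.168.1.2 PROTO=ICMP TYPE=8
2011-04-13T10:00:07 SRC=198.51.100.4 DST=192.168.1.1 PROTO=TCP DPT=80
"""

# Assumed line layout for this example; adjust the pattern for a real log source.
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: TYPE=(\d+))?")


def parse_echo_requests(log_text):
    """Yield (timestamp, src, dst) for every ICMP echo request (type 8) line."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unrecognised line: skip it rather than stop the monitor
        ts, src, dst, proto, icmp_type = match.groups()
        if proto == "ICMP" and icmp_type == "8":
            yield datetime.fromisoformat(ts), src, dst


def detect_ping_sweeps(log_text, min_hosts=5, window_seconds=60):
    """Return {src: distinct_targets} for sources that sent echo requests to at
    least min_hosts distinct destinations within any window_seconds window."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(log_text):
        by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # log lines may arrive out of order; order by timestamp
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_hosts:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {count} hosts probed")
```

With the defaults, only 203.0.113.9 is reported (six hosts in three seconds); the internal host 192.168.1.50 pings two addresses five minutes apart and is ignored, which is the point of the time window: a help-desk workstation checking two printers should not raise the same alert as an address range being walked.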

Defending Against Scanning-Use More than 1

Block ports at routers and firewalls
Block ICMP, including echo
Segment your network properly
Hide private, internal IP addresses
Change default account settings and remove or disable unnecessary services
Restrict permissions
Keep applications and operating systems patched

Sniffing Countermeasures

Strong physical security
Proper network segmentation
Communication encryption
To guard against sniffing, make sure the attacker cannot access a legitimate communication stream

DoS and DDoS Countermeasures

Stop the attack before it happens
Block marching orders
Patch systems
Implement IDS
Harden TCP/IP
Avoid putting all eggs in 1 basket
Adjust state limits
Keep us from being targeted and lock down assets

Snort (Network IDS)

Snort's open source network-based intrusion detection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
Snort performs protocol analysis, content searching, and content matching.
The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.
FREE

Other Countermeasures
Encrypted session negotiation (ensure handshake process)
Repeating credential verification during the session (kick out hijackers)
Partitions
User training (all personnel can understand security)

Defense-In-Depth
Defense-in-depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system.
It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's life cycle.

Perimeter Defense Countermeasures

Router security
Demilitarized Zone
Bastion host
Firewalls
Intrusion Detection Systems
Intrusion Prevention Systems
Virtual Private Network
(Defensive technologies)

Routers
First line of perimeter defense
Connects external environment to internal network
Securely configured
Audit regularly
Keep patched and updated

DMZ
Machine or machines accessible by the Internet, but not located on the internal network or the Internet
Web server
Email server
Should not contain much valuable data
IDS sensor to detect malicious traffic

Bastion Host Harden/Locked Down

Highly exposed to attacks in DMZ
Web server
Email server
Locked down/hardened system
Unnecessary services disabled
No unnecessary applications
Fully patched
Unnecessary ports closed
Unnecessary accounts disabled

Firewalls
Control connections from one network (or portion of network) to another (restrict Internet access)
Enforce security policy
Hardware or software
Firewalls DO NOT monitor connections not passing directly through them; not a magic bullet
Even a perfectly configured firewall is still vulnerable
Packet filtering
Proxies
Stateful inspection

Intrusion Detection System (IDS)

Detects suspicious activity
Alerts upon discovery of possible compromise attempts
Composed of several components
Sensors
Analyzers
Administrator interfaces
IDS can search for attacks, terminate connections, send real-time alerts, protect system files, expose hacking techniques, illustrate vulnerabilities and even assist in tracking down hackers

Common Types of IDS

Host based: mail server, web server or individual PC
Network based: the network itself

Virtual Private Networks (VPN)

A secure, private data connection through a non-secure public network
Often through the Internet
Uses encryption and tunneling protocols

Wireless Technology
Allows communication between multiple systems/devices without physical connection
Much less expensive than wired solutions
WLAN

Wireless Threats and Countermeasures

Access point mapping
Service Set Identifier (SSID) broadcasting
Default SSID
Radio frequency management
Default settings
Authentication
Bluetooth security

Access Point Mapping

WLAN version of wardialing
An AP is a device connecting a wired network to wireless devices using radio frequency
Software (NetStumbler, AirSnort, void11)
Warchalking (available access points)

Service Set Identifier (SSID) Broadcasting

Beaconing: this is the continuous announcement by a Wi-Fi access point that it is available.
SSID is the name assigned to the wireless connection
Default SSIDs pose a security risk even if the AP is not broadcasting because default names are widely known

Radio Frequency Management

The signal should die out before it reaches the physical boundaries of the property
This helps keep unauthorized users from driving by and intercepting confidential wireless signals

Default Settings
Many access points arrive with no security mechanism in place
Changing the default settings before deployment should be a matter of organizational practice

Authentication Issues
Open system: SSID, subject to sniffing
Shared key: SSID plus WEP encrypted key required, subject to man-in-the-middle attacks
Many wireless networks do not contain adequate authentication mechanisms
Both Open and Shared are considered weak

Authentication Issues
WEP standard proven insufficient
Replaced with Wi-Fi Protected Access (WPA)
WPA demonstrates its own weaknesses
Replaced by WPA2, which is viewed as more secure

Bluetooth Security
Popular short-range technology
Used for many personal electronic devices
including phones, music players, etc.
Threats
Bluejacking: sending unsolicited messages to Bluetooth devices
Bluesnarfing: unauthorized access of information from a wireless device through a Bluetooth connection
Bluebugging: unauthorized control of Bluetooth assets

Operating System
A program that acts as an intermediary between a computer user and the computer hardware
GUI Graphical User Interface
Process management
Main memory management
File management
I/O system management
Secondary storage management
Network management
Protection system management
User interface management

Operating System Security

Confidentiality: only let authorized entities access computer and information
Integrity: only allow authorized changes to information
Availability: manage resources to permit access to information and system at all required times

Authorization and Authentication

WHO IS AUTHORIZED?
Authorized by policy of organization and operational requirements
HOW DO WE KNOW?
Accounts (identification)
Known systems
Passwords
Secure communication channel

Access Control
Verifying the identity of entities before granting access and restricting access
Controls how users and systems communicate and interact with other systems and resources
First line of defense
Authenticate before allowing access to authorized resources
Policies, locks, passwords
Social media policies??

Auditing
A trail to follow
Creation of logs
A log is a record of events or activities that occur
Detectable events
Collect and save in secure information
Analyze results

Threats to OS
The basic problem with OSs and computers is that a system allows unauthorized users to compromise the system to gain unauthorized access to system resources
Weak/Broken identification
Weak internal security structures
Programming errors in operating system

Once Identified, Authorize

User accounts are the mechanism used to identify and authorize people
Access control is based on identification
Most common authentication is a password
Password and account policies help improve security

Implementing Policies
The whole access control process is driven by policies and procedures
One part of implementing those policies is a password policy that makes it less likely that an attacker can break into computer systems by compromising a password

Password Policy
What makes a good password policy?
New password
Reuse of old passwords
Length of validity
When can it be changed
Minimum length of password
Complexity requirements
Should password be stored

Specific OS Attacks
DoS: attack on availability, consume resources
Hack: exploit a vulnerability to gain unauthorized access to the system
Backdoor: an access method that bypasses the normal security of the system
Memory issues: memory is not erased before being given to another program
Escalation of privileges: user exploits a vulnerability to gain unauthorized access
Default settings: most OSs ship with the simplest configuration, security disabled

Securing Systems
Perform system hardening
Find out what vulnerabilities are still
present
Fix them

Countermeasures: DoS
Set network and host firewall filters for known bad traffic
Apply OS patches for known vulnerabilities
Limit time and resources to processes
Monitor for threat activity on the network and host using IDS
Detect and block

Countermeasures: Hack the System

Use account and password policies
Change default accounts, settings, passwords
Use restricted accounts for services
Apply OS patches for known vulnerabilities
Turn off unnecessary services
Watch for social engineering

Countermeasures: Backdoor

Backdoors are installed by the developer
Disable any unnecessary default accounts
Apply OS patches for known vulnerabilities
Scan system periodically
Monitor system

Countermeasures: Memory Issues

Memory management is an issue that has a severe impact on performance
Apply OS patches for known vulnerabilities
Turn on security features
Reclaim memory on process termination

Countermeasures: Escalation of Privileges

Apply OS patches for known vulnerabilities
Monitor system
Establish restricted accounts for services (don't run everything as administrator)

Countermeasures: Default Settings

Disable unnecessary accounts and services
Apply OS patches for known vulnerabilities
Follow lockdown procedures when possible
Monitor the system

Common Application Security Threats

Unauthorized access to applications: first line of defense is access control
Cross-Site Scripting: browser allows code injection
SQL injection: inserts independent queries into a database
Buffer overflow: input from a user exceeds the length or other characteristics of an expected input
Arbitrary code execution: one of the common methods used by attackers to execute commands to take over or crash the targeted machine

Unauthorized Access Countermeasures

Determines what object can access application
Can be implemented based on users, permissions, and folder structures
UserID and password
Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

XSS Countermeasures

Vulnerability in web applications
Web server owner should:
Keep web server updated
Scan for XSS vulnerabilities
Configure applications and servers properly
User should:
Keep web browser updated
Practice safe web surfing
Attend awareness training

SQL Injection Countermeasures

Database vulnerability (credit card info/patient information)
Input validation
Manual code review
Least privilege
When not required, disable privileges to stored procedures, tables, etc.
Limit execution privileges to SELECT, UPDATE, DELETE and user-stored procedures
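The "input validation" bullet is easier to judge when the vulnerable code sits next to the corrected code. The Python below is an added example, not code from the deck or from any EHR product: it builds a constructed in-memory SQLite table of sample patient rows (no real PHI), shows a lookup that pastes the medical record number into the SQL text, then the same lookup as a parameterized query, and finally the parameterized query behind a format check. The table layout, the MRN format (`4` to `10` digits) and the function names are this example's assumptions.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory patient table; the rows are sample data, not PHI."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("1001", "Sample Patient A", "sample diagnosis"),
        ("1002", "Sample Patient B", "sample diagnosis"),
        ("1003", "Sample Patient C", "sample diagnosis"),
    ])
    return conn


def lookup_vulnerable(conn, mrn):
    """Deliberately vulnerable: the MRN is concatenated into the SQL text, so a
    crafted value changes the query itself instead of being treated as data."""
    query = "SELECT mrn, name FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, mrn):
    """Parameterized query: the driver binds mrn as a value, never as SQL."""
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


MRN_RE = re.compile(r"\d{4,10}")  # assumed MRN format for this example


def lookup_safe(conn, mrn):
    """Input validation in front of the parameterized query: reject anything that
    is not a plausible MRN before it reaches the database at all."""
    if not MRN_RE.fullmatch(mrn):
        raise ValueError("MRN must be 4 to 10 digits")
    return lookup_parameterized(conn, mrn)


if __name__ == "__main__":
    db = build_demo_db()
    hostile = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, hostile))        # every row leaks
    print("parameterized:", lookup_parameterized(db, hostile))  # []
    print("safe:", lookup_safe(db, "1002"))
```

The parameterized version alone already stops the injection; the validation layer on top of it gives an early, loggable rejection and documents what an MRN is supposed to look like. The deck's least-privilege bullets (limiting the database account to the statements it needs) are applied at the database account level and are not something SQLite's in-memory mode can show.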

Buffer Overflow Countermeasures

Software vulnerability and programming (C and C++)
Stack buffer overflow: Morris Worm
Write secure code
Use compiler tools to detect unsafe instruction sets in application
Have a limited number of processes running
Keep your application updated with latest patches from software vendor
Control privilege

Arbitrary Code Execution Countermeasures

Software bug
Install latest updates and Service Packs
Disable scripting and ActiveX (Drive by)
Configure application securely
Use alternate, safer applications

Drive by Download
Drive by Download is an unintended download of computer software from the Internet:
1. Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).
2. Any download that happens without a person's knowledge.
3. Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.

Personal Information Threats

Unauthorized access to personal information
Loss of personal information
Unauthorized disclosure of personal information
Spoofing
Malicious software (Malware)

Unauthorized Access to Personal Information

Commonly done by cracking user passwords
Recovering passwords from data that has been stored in or transmitted by a computer system
Password cracking methods
Dictionary
Hybrid
Brute force (every password WILL be cracked)

Password Cracking (1-11)

andy
helen2008
Computer
Jonas_Puente
marykay
htimsnosaj
b1@nc@&l33
cold*beer
020973
n1h0nj1n
*pdbmc12

Loss of Personal Information

Human error, 32%
Software corruption, 25%
Virus attack (malware), 22%
Hardware failure, 13%
Sabotage, 6%
Natural disasters, 2%

Spoofing
A situation in which a person/program successfully masquerades as another by presenting false information.

Malicious Software (Malware)

Designed to damage/disrupt a system without the owner's consent.
Software that gets installed on your system and performs unwanted tasks.
Pop-ups to virus deployment.

Virus
Individual programs that propagate by first infecting executable files or the system and then making copies of themselves.
Can operate without your knowledge (visit website, you open attachment).
WE OPEN IT

Worm
Designed to replicate and spread from computer to computer (attach to file and run on their own)
WE DON'T HAVE TO OPEN IT

Trojan Horse
Designed and written like normal programs but with hidden code that can compromise your system from a remote user/computer.

Logic/Time Bomb
Program that lies dormant until it is activated by something (date, message).

Spyware
Computer software that gathers information about a computer user and transmits it without your knowledge (benign or malignant, websites or credit card information).

Adware
Advertising-supported software in which advertisements are displayed while the program is running.

Malware Goals
Malicious code threatens three primary security goals:
Confidentiality: Programs like spyware can capture sensitive data while it is being created and pass it on to an outside source.
Availability: Many viruses are designed to modify operating system and program files, leading to computer crashes. Internet worms have spread so widely and so quickly that they have overloaded Internet connections and email systems, leading to effective denial-of-service attacks.
Integrity: Protecting information from unauthorized or inadvertent modification. For example, without integrity, your account information could be changed by someone else.

Personal Information Security Countermeasures

Password policies
Backup
Cryptography
Spoofing countermeasures
Malware detection and prevention

Password Policies
History: 10 passwords
Max age: 120 days
Min age: 5 days, or 0 for shoulder surfing
Min length: 15 characters (at least 8)
Complexity: enabled
Combo of upper & lower case & special character & number
La2!xxxx
No dictionary words/patterns
No easily obtainable information
No birthdays, pet names, fictional characters, proper nouns, etc.
Use of mnemonics
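The policy slide above and the earlier "Password cracking methods" slide (dictionary, hybrid, brute force) describe two sides of the same check: a policy is useful exactly to the extent that it rejects what those methods find first. The Python below is an added example, not code from the deck: it enforces the slide's values (history of 10, minimum length 15, four character classes, no dictionary words or patterns, no personal information) and stores history as salted PBKDF2 hashes so old passwords are never kept in the clear. The word list is a tiny constructed stand-in for a real dictionary, the leetspeak substitution table and sequence list are this example's own choices, and the hybrid check (strip digits and symbols, then look for a dictionary word) is a simplified model of that cracking method.

```python
import hashlib
import os
import re
import string

# Constructed word list; a deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "computer", "summer", "hospital", "clinic"}
# Policy values from the slide.
HISTORY_DEPTH = 10
MIN_LENGTH = 15
# Assumed patterns a hybrid/dictionary attack would try first.
SEQUENCE_RE = re.compile(r"(012|123|234|345|456|567|678|789|abc|qwe)")
REPEAT_RE = re.compile(r"(.)\1{2,}")  # the same character three or more times
LEET_TABLE = str.maketrans("0134$@!", "oleasai")


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def _core_word(password):
    """Undo the usual 'word + digits + symbol' decoration a hybrid attack models:
    lower-case, map common leetspeak back to letters, keep only letters."""
    folded = password.lower().translate(LEET_TABLE)
    return "".join(ch for ch in folded if ch.isalpha())


def check_password(password, history, personal_info=()):
    """Return the list of policy violations; an empty list means the password passes.

    history: (salt, digest) tuples of the user's previous passwords, oldest first.
    personal_info: strings such as a name, birthday or pet name that must not appear.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        problems.append("needs upper, lower, digit and special character")

    core = _core_word(password)
    if core in DICTIONARY or any(word in core for word in DICTIONARY if len(word) >= 5):
        problems.append("based on a dictionary word")

    if REPEAT_RE.search(password) or SEQUENCE_RE.search(password.lower()):
        problems.append("contains a repeated or sequential pattern")

    for item in personal_info:
        if item and item.lower() in password.lower():
            problems.append(f"contains personal information ({item})")

    # Compare against the last HISTORY_DEPTH hashes using each entry's own salt.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_password(password, salt)[1] == digest:
            problems.append("reused from password history")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("La2!xxxx", "Password2011!", "Blue-Coffee7Jogging!"):
        print(candidate, "->", check_password(candidate, []) or "OK")
```

Run as a script, the slide's own example `La2!xxxx` fails on length and on the repeated-character pattern, `Password2011!` fails because stripping the decoration leaves a dictionary word (the hybrid case), and a mnemonic-style phrase with all four classes passes. Note that the history check is only possible because each old entry keeps its salt; a policy that stored old passwords in the clear would itself be the data-theft risk the deck warns about.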

Backup
Copying files to a second medium for later retrieval as a precaution in case the first medium fails
Perform frequently
Keep in a separate location
93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster
50% of businesses that found themselves without data management for this same period filed for bankruptcy immediately

Spoofing Countermeasures
Practice safe email usage and web surfing
Attend security awareness training

Malware Countermeasures
Only run software you can trust
Install antivirus software
Scan file attachments with antivirus
software before opening
Verify critical file integrity
BACKUP
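The "verify critical file integrity" bullet is a concrete procedure: record a hash of every file you care about while the system is known-good, keep that baseline somewhere the malware cannot rewrite it, and compare later. The Python below is an added example, not code from the deck or from any integrity product: it builds a SHA-256 baseline of a directory tree and reports modified, missing and added files, then runs the whole cycle inside a constructed temporary directory (sample file names, nothing real) so it can be executed offline. The function names and the demo layout are this example's assumptions.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, '/' separators)
    to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(root, baseline):
    """Re-hash root and classify every difference against the saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a tree, tamper with it, then check it.
    Returns the comparison result so the outcome can be inspected or asserted."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ehr-client"), "w") as f:
            f.write("original program\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[db]\nhost=localhost\n")

        # The baseline would normally be written to read-only or offline media;
        # JSON round-trip here stands in for that save-and-reload step.
        saved = json.dumps(build_baseline(root))

        # Simulate compromise: one file altered, one removed, one dropped in.
        with open(os.path.join(root, "bin", "ehr-client"), "a") as f:
            f.write("# injected\n")
        os.remove(os.path.join(root, "config.ini"))
        with open(os.path.join(root, "bin", "dropper"), "w") as f:
            f.write("unexpected\n")

        return compare_baseline(root, json.loads(saved))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the stored baseline, which is why the deck lists integrity checking next to backups: a baseline kept on the same writable disk as the monitored files can be replaced along with them.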

Electronic Health/Medical Records

An electronic health record (EHR) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations
It is a record in digital format that is capable of being shared across different health care settings, by being embedded in network-connected enterprise-wide information systems
Such records may include a whole range of data in comprehensive or summary form, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats like age and weight, and billing information

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

EHR
Advantages
Reduction of cost
Improve quality of care
Promote evidence-based medicine
Record keeping and mobility
Disadvantages
Costs
Time

Are EHRs Vulnerable? YES!

Vulnerabilities discovered, reported to eHealth vendor and then patched
Patches take A LOT of time to fix
2,211 days (vendor) vs. 284 days (Microsoft)
No one eHealth vendor in charge

Possible Issues
Unauthorized users can compromise integrity and confidentiality
Unauthorized access to computer networks
Password protection (hacks and policies)
Subversive software (malware)
Disaster

Privacy and Security Issues

Data breaches
Theft
Lost devices
Social networking

Personally Identifiable Information (PII)

Information that permits the identity of an individual to be inferred directly or indirectly
PII includes any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, a legal permanent resident, or a visitor to the United States
Apply the "need to know" principle before disclosing PII to other personnel
Challenge the need for the requested PII before sharing
Consider PII materials for official use only
Limit the collection of PII for authorized purposes only

Examples of PII

Name
Date of birth
Biometrics
Mailing address
Phone #
Email address
Zip code
Account numbers
License information
Social Security #
Place of birth
License plate
Photos

Sensitive Data

Confidentiality of patient records
Mental health
Sexual health
Drug/alcohol
Minors
Intimate partner violence/sexual violence
Genetic information

Privacy and Security of EHR

Security program components and regulatory requirements (HITECH, HIPAA, Breach Notification Laws, State Laws)
Risk assessment and mitigation plans
Security program evaluation
Privacy and security awareness training for all staff
Disclosure logs

Privacy and Security

Security audit programs will be under the purview of the OCR (Office for Civil Rights), which is expected to begin with existing programs in 2011.
CIA Triad

Data Segmentation

Structured data fields
Common data definitions
Data entry
Locating data
Technology and codes
Building intelligence

Safeguarding PII
Store sensitive information in a room or area that has access control measures to prevent unauthorized access by visitors or members of the public (e.g., locked desk drawers, offices, and file cabinets)
Never email sensitive information to unauthorized individuals.
Never leave sensitive information on community printers
Take precautions to avoid the loss or theft of computer devices and removable storage media
Destroy all sensitive information by appropriate methods (paper shredder) when it is no longer needed
Notify your immediate supervisor if you suspect or confirm that a privacy incident has occurred

Security Vulnerabilities and Countermeasures

Safeguard data
Monitor control on key systems and check for inadequate logging
Protect access control
Data encryption
Privacy awareness training
Create strong vendor management
Develop business continuity and incident response plans

Security and Assurance Program

Protective measures to address potential cyber security threats include:
Firewalls and virus protection systems
Password procedures
Information encryption software
Computer access control systems
Computer security staff background checks (at initial hire and periodically)
Computer security staff training & 24/7 on-call technical support
Computer system recovery and restoration plans
Intrusion detection systems
Redundant & backup systems, & offsite backup data storage

In Summary

Identify vulnerabilities
Human error is biggest threat
Fix vulnerabilities (patches, etc.)
Have policies and procedures
Computer maintenance program
Educate staff
Stay informed of latest and greatest

References
Voice & Data Security: An Introduction to Information Assurance (FEMA/DHS)
IS 906: Workplace Security Awareness (FEMA)
EHR PPT, Nina Robinson, NJPCA
